d8848c1a3b8c464f20a99142a7e319ac9c580768e888a52404c17cefae497606

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 08:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Chromestup翻译插件.msi
Size

2.6MB
MD5

75a1688aca4c2641659f060d86f6b612
SHA1

a1740d536b654d4a381c9089ce51dd2026efa819
SHA256

e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9
SHA512

ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c
SSDEEP

49152:0FvHELEfBtQTIoWd4rUXs6kA+h5N3IaaLoWNAxOiZowguCIFVx0K5xU:0FveQQE5SBGkpIaavAQag67x0K5xU

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe	MvUlJzZBELPG.exe
File created	C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe	MvUlJzZBELPG.exe
File opened for modification	C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe	MvUlJzZBELPG.exe
File created	C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD	msiexec.exe
File created	C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe	msiexec.exe
File created	C:\Program Files\SupportInspiringAnalyzer\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml	MvUlJzZBELPG.exe
File created	C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ	MvUlJzZBELPG.exe
File created	C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs	qDrRguPncUTJ.exe
File created	C:\Program Files\SupportInspiringAnalyzer\igc964.dll	msiexec.exe
File opened for modification	C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml	MvUlJzZBELPG.exe
File opened for modification	C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ	MvUlJzZBELPG.exe
File opened for modification	C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe	MvUlJzZBELPG.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f7721d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f7721d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7721d4.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7721d3.msi	msiexec.exe
File created	C:\Windows\Installer\f7721d4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22BD.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	MvUlJzZBELPG.exe
2984	qDrRguPncUTJ.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1516	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MvUlJzZBELPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qDrRguPncUTJ.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90fadbf61429db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	qDrRguPncUTJ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	qDrRguPncUTJ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	qDrRguPncUTJ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	qDrRguPncUTJ.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Version = "117506049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\ProductName = "SupportInspiringAnalyzer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\PackageCode = "7ED114DDD5473FB4B927257371DB7C73"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\PackageName = "Chromestup翻译插件.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996\B7276BE3BE1D47343BD3B84AC7AC2320	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2352	MvUlJzZBELPG.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2832	msiexec.exe
2832	msiexec.exe
2288	powershell.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe
2984	qDrRguPncUTJ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeSecurityPrivilege	2832	msiexec.exe
Token: SeCreateTokenPrivilege	1516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1516	msiexec.exe
Token: SeLockMemoryPrivilege	1516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1516	msiexec.exe
Token: SeMachineAccountPrivilege	1516	msiexec.exe
Token: SeTcbPrivilege	1516	msiexec.exe
Token: SeSecurityPrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeLoadDriverPrivilege	1516	msiexec.exe
Token: SeSystemProfilePrivilege	1516	msiexec.exe
Token: SeSystemtimePrivilege	1516	msiexec.exe
Token: SeProfSingleProcessPrivilege	1516	msiexec.exe
Token: SeIncBasePriorityPrivilege	1516	msiexec.exe
Token: SeCreatePagefilePrivilege	1516	msiexec.exe
Token: SeCreatePermanentPrivilege	1516	msiexec.exe
Token: SeBackupPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeShutdownPrivilege	1516	msiexec.exe
Token: SeDebugPrivilege	1516	msiexec.exe
Token: SeAuditPrivilege	1516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1516	msiexec.exe
Token: SeChangeNotifyPrivilege	1516	msiexec.exe
Token: SeRemoteShutdownPrivilege	1516	msiexec.exe
Token: SeUndockPrivilege	1516	msiexec.exe
Token: SeSyncAgentPrivilege	1516	msiexec.exe
Token: SeEnableDelegationPrivilege	1516	msiexec.exe
Token: SeManageVolumePrivilege	1516	msiexec.exe
Token: SeImpersonatePrivilege	1516	msiexec.exe
Token: SeCreateGlobalPrivilege	1516	msiexec.exe
Token: SeBackupPrivilege	2652	vssvc.exe
Token: SeRestorePrivilege	2652	vssvc.exe
Token: SeAuditPrivilege	2652	vssvc.exe
Token: SeBackupPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2616	DrvInst.exe
Token: SeLoadDriverPrivilege	2616	DrvInst.exe
Token: SeLoadDriverPrivilege	2616	DrvInst.exe
Token: SeLoadDriverPrivilege	2616	DrvInst.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeRestorePrivilege	2352	MvUlJzZBELPG.exe
Token: 35	2352	MvUlJzZBELPG.exe
Token: SeSecurityPrivilege	2352	MvUlJzZBELPG.exe
Token: SeSecurityPrivilege	2352	MvUlJzZBELPG.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe
Token: SeRestorePrivilege	2832	msiexec.exe
Token: SeTakeOwnershipPrivilege	2832	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1516	msiexec.exe
1516	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2940	2832	msiexec.exe	35
PID 2832 wrote to memory of 2940	2832	msiexec.exe	35
PID 2832 wrote to memory of 2940	2832	msiexec.exe	35
PID 2832 wrote to memory of 2940	2832	msiexec.exe	35
PID 2832 wrote to memory of 2940	2832	msiexec.exe	35
PID 2940 wrote to memory of 2288	2940	MsiExec.exe	37
PID 2940 wrote to memory of 2288	2940	MsiExec.exe	37
PID 2940 wrote to memory of 2288	2940	MsiExec.exe	37
PID 2940 wrote to memory of 1876	2940	MsiExec.exe	39
PID 2940 wrote to memory of 1876	2940	MsiExec.exe	39
PID 2940 wrote to memory of 1876	2940	MsiExec.exe	39
PID 1876 wrote to memory of 2352	1876	cmd.exe	41
PID 1876 wrote to memory of 2352	1876	cmd.exe	41
PID 1876 wrote to memory of 2352	1876	cmd.exe	41
PID 1876 wrote to memory of 2352	1876	cmd.exe	41
PID 2940 wrote to memory of 2984	2940	MsiExec.exe	43
PID 2940 wrote to memory of 2984	2940	MsiExec.exe	43
PID 2940 wrote to memory of 2984	2940	MsiExec.exe	43
PID 2940 wrote to memory of 2984	2940	MsiExec.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 7DC7850FD0719F2E4D810EB151205C32 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SupportInspiringAnalyzer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe
      "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- - C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe
    "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 148 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A8" "00000000000005B8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7721d5.rbs

Filesize
7KB

MD5
cf0a9bd3bf56d13072ae017024dc9dfc

SHA1
272898503cf57a1fb863dcf0a92e2b2b7c7332f1

SHA256
f163263f9da674e1bebf0e9bd07a1ef08fea8455660313e502d9d10cc8c739aa

SHA512
c720fdd5617832f8b04864e837fdd917bd1c55557c159ffda77a8f172eefa883c513dc752bceddc159ec45b06b13078151a4197d558706318d991652eeb3df68

Download Submit
C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD

Filesize
2.1MB

MD5
c7cdf5fa91fac8b086ba6edc3ae1b9ab

SHA1
368c29d03ed4d63dfccadc084f0a9bdc0d73d05a

SHA256
2cae8d7add88dee6f87be346aa29d0230d7e0b6e60d9a63bb93778151a7687c2

SHA512
eac0accda6562d66e328e8f0cf0b6e356ffc4436ab3bacd1eed8d0a80699db0491b97fd4c30dcc8976b10986f7d9810a334196297840543373836f0f19e4b9dc

Download Submit
C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe

Filesize
2.8MB

MD5
b96aaab7556936945af7a07a91c79052

SHA1
b259e2d3e190fc0f52f3007303e3662eafc28d66

SHA256
e84b46614d3d41be225904cdcdeb1bb3fe57cb3c26b397591d803fb8e10546db

SHA512
e1c08a5ea793f7daadf3746d1bbae62d96637e4d00d39162803aaec140c60146bba6ff372221146416d7ad93fee51cf800b8e0626fb8ec355c6659104959502f

Download Submit
C:\Windows\Installer\f7721d3.msi

Filesize
2.6MB

MD5
75a1688aca4c2641659f060d86f6b612

SHA1
a1740d536b654d4a381c9089ce51dd2026efa819

SHA256
e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9

SHA512
ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c

Download Submit
memory/2288-17-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2288-18-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2940-12-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2984-44-0x000000002B060000-0x000000002B08F000-memory.dmp

Filesize
188KB

Download